Security management system for monitoring firewall operation

ABSTRACT

A test method for Internet-Protocol packet networks that verifies the proper functioning of a dynamic pinhole filtering implementation as well as quantifying network vulnerability statistically, as pinholes are opened and closed is described. Specific potential security vulnerabilities that may be addressed through testing include: 1) excessive delay in opening pinholes, resulting in an unintentional denial of service; 2) excessive delay in closing pinholes, creating a closing delay window of vulnerability; 3) measurement of the length of various windows of vulnerability; 4) setting a threshold on a window of vulnerability such that it triggers an alert when a predetermined value is exceeded; 5) determination of incorrectly allocated pinholes, resulting in a denial of service; 6) determining the opening of extraneous pinhole/IP address combinations through a firewall which increase the network vulnerability through unrecognized backdoors; and 7) determining the inability to correlate call state information with dynamically established rules in the firewall.

RELATED APPLICATIONS

The present application is a continuation of U.S. patent applicationSer. No. 10/679,222 which was filed on Oct. 3, 2003 and which is herebyexpressly incorporated by reference.

FIELD OF THE INVENTION

The present invention relates generally to the field of communicationsand, in particular, to methods and apparatus for testing certainsecurity aspects of firewalls used in packet networks.

BACKGROUND OF THE INVENTION

The transmission of voice signals over a packet network offers economiesof scale which make it likely that common carriers will, over time,evolve their circuit switched voice networks into converged servicespacket switched networks that will transport voice traffic in packets.The full realization of this voice over packet network paradigm,however, will likely be delayed until the security of the voice trafficcarried over the packet network is improved to the point at which itrivals that of present day circuit switched networks.

A likely protocol to be employed in a voice over packet network isInternet Protocol, or more conveniently, IP. Accordingly, such networksare oftentimes referred to as voice over Internet Protocol networks(VoIP).

IP has become attractive for such applications, in part, because of itsubiquity. Unfortunately however, IP and networks designed thereon sufferfrom a lack of security as a legacy of how IP networks were originallydesigned with little or no security functions built in. Recent attemptsto remedy the security deficiencies of IP have focused on protocolenhancements such as those which include the incorporation of IPSecurity(IPSec) at the Network Layer, and other schemes at the Application Layer(e.g., application security protocols).

In VoIP networks, these new security enhancements can be difficult toimplement, either because of the distributed nature of VoIP networks(many hops), or because they frequently utilize digitalcertificate-based key systems which are difficult to manage—especiallyfor large, common carrier size networks. One alternative is to protectcrucial network assets, such as server farms of media gateways,signaling gateways, and softswitches by employing network perimeterprotection devices that block unwanted and/or potentially nefarioustraffic from reaching those assets. Unfortunately however, VoIP networkshave specific requirements that make using traditional perimeterprotection devices, such as firewalls, not practical as such devices,and in particular firewalls, typically block unwanted traffic on aspecific IP port in a static manner, i.e., specific ports areallowed/excluded independent of time.

In a VoIP network, ports used to carry the media part of a call arenormally dynamically assigned through signaling, released upon calltermination, and reused for subsequent call(s) later. As a result, ascheme was designed that permitted firewalls to open and close portsdynamically, for a specific call, from signaling information obtainedfrom a signaling channel at call setup and call termination. This schemeand related method(s) are sometimes referred to as “dynamic pinholefiltering”, as the firewalls filter traffic dynamically byopening/closing ports (pinholes) depending upon the state and progressof a call. When implemented correctly at the network perimeter, dynamicpinhole filtering advantageously provides protection at a level ofgranularity not realizable through other current security technologies.

As can be appreciated, strict verification of the correctness of adynamic pinhole filtering implementation is of paramount importance as adefective implementation could result in “windows of vulnerability”which could be maliciously exploited to invade the very assets beingprotected. Worse still, a partially correct implementation maycontribute to a false sense of security, while leaving network assetsexposed to malicious attack or takeover. Such windows of vulnerabilitycan, in turn, be used by a malicious attacker for Denial of ServiceAttacks in simple cases. In more complex cases, such windows ofvulnerability can be used by a malicious attacker to takeover networkassets that can be used to control and disrupt other parts of thenetwork.

Accordingly, a continuing need exists for methods that provide orotherwise facilitate the strict verification of security measuresemployed in VoIP networks, and in particular networks utilizing dynamicpinhole filtering. In particular, there is a need for methods ofverifying firewall operation prior to deployment, a need for methods ofdetermining the maximum loading that is possible on a firewall prior toan unacceptable degradation in security and/or service, and there isalso a need for methods of monitoring a firewall while deployed in anactive system to insure that it is operating properly with port openingand closing delays remaining within preselected limits.

SUMMARY OF THE INVENTION

The present invention is directed to firewall testing methods andapparatus. The results of the testing methods can be used to verifycompliance of firewalls to design specifications and/or engineerfirewalls to meet expected loading conditions while providing thedesired level of responsiveness, e.g., in terms of port opening andclosing times. The methods and apparatus of the present invention canalso be used to monitor and test a firewall system while in use in anetwork application. Failures of various tests, e.g., excessive portopening and/or closing times, are detected and reported to a managementsystem. The management system responds to such alarms by limitingtraffic flow, redirecting traffic, performing time and spacecorrelations, root cause analyses, and/or notifying the systemadministrators of the problem.

The testing methods and apparatus of the invention are well suited fortesting firewalls which open and close ports in a dynamic manner tosupport VoIP calls.

Among the features to which the present invention is directed are 1)test apparatus and a testing system; 2) testing methods involving: a)checking whether firewall ports are open and/or closed as dictated byvarious firewall rules and/or b) opening and/or closing delaysassociated with opening and closing ports in response to session signalsused to establish and/or terminate media sessions; 3) determining theeffect of increasing traffic loads, e.g., session signaling loads, onfirewall port opening and/or closing delays; and 4) the monitoring of anactive firewall to a) detect the effect of traffic loading on portopening and/or closing delays, b) generate an alarm when a detectedopening and/or closing delay exceeds a pre-selected threshold; and c)taking one or more actions in response to a generated port opening orclosing delay alarm to reduce the load on the firewall to which thealarm corresponds and/or take other measures to ensure that firewallsecurity is maintained. Additionally, by way of example, a time/spatialfault detector coupled with a root-cause analysis engine could helpsectionalize in time and space where and when one or more securityviolations have occurred in a large network. This may be done bycorrelating the output of various port opening and closing delay timemonitoring devices deployed throughout the network to determine thecause and locality of actions which interfere with proper firewalloperation. The time/spatial fault detector and root-cause analysisengine are, in some embodiments, included in a security managementsystem which receives input from multiple firewalls and/or monitoringsystems distributed throughout the network.

A test system implemented in accordance with the invention includes atleast two novel test apparatus of the present invention, referred to asan Integrated Intelligent End Points (IIEPs). At least one of the testapparatus includes a traffic generator, e.g., a session signalgenerator, and a probe signal generator. The traffic generation module,included in an IIEP, is used for generating call and/or other mediatraffic as part of the test process. The probe signal generator moduleis used to generate test signals which are used to probe whether portsare opened and/or closed. Each EEP also normally includes atraffic/probe signal analysis and/or report generation module includedthat is used to perform analysis on signals, e.g., probe signals,detected passing through the firewall. A timing/synchronization moduleis included in each of IIEP. The timing/synchronization module is usedto synchronize the timing of the IIEP, e.g., to an external clock sourceor another IIEP.

An originating IIEP is positioned “outside” of the firewall within anuntrusted zone and a target IIEP is positioned “inside” of the firewallwithin a trusted zone. The two devices work together to test thefirewall's operation. Each IIEP includes “intelligence”, e.g., controllogic and/or software routines which allow the analysis module andvarious other modules, such as traffic generation and probe signalgeneration modules, to work together in a coherent manner and tointeroperate with other IIEPs to implement the testing method of thepresent invention which will be discussed in detail below.

Thus, the test apparatus of the present invention includes traffic andprobe signal generators located in the untrusted zone outside a firewalland an analysis device located inside a trusted zone positioned behindthe firewall. The probe test signal generator and the analysis device,e.g., analysis module of the IIEP located in the trusted zone, operatein a synchronized manner, with the probe test generator directing testsignals at the firewall's ports, which may be used for media traffic,and the analysis device looking to determine what test signals, if any,pass through the ports and whether such signals should have been allowedthrough the firewall in accordance with the firewall rules. Such rulesmay include rejecting signals from source devices having IP addresseswhich have not been legitimated to the firewall, e.g., not associatedwith an ongoing media session through the use of session signaling. Thefirewall rules may also include rejecting traffic directed from a devicehaving a legitimated IP address but which is directed to a port whichshould not be open. Firewall processing will also normally involvedynamically opening and closing ports in the firewall for mediasessions, e.g., voice or data sessions, associated with an IP addressthat has been legitimated through the use of appropriate sessionestablishment signaling.

In accordance with one feature of the invention, the ability of afirewall to block media signals corresponding to a source address whichhas not been legitimated through session signaling is tested bydirecting traffic at the firewall's media ports from an IP address whichhas not been associated by the firewall with an active media session.Signals which are allowed to pass through the firewall's media portsfrom the source that does not have an IP address associated with anongoing media session are detected and interpreted as indications thatthe firewall filtering on IP addresses is not working properly.

In addition to address filtering, port filtering is also tested. Thecombination of IP address and port identifier is used to identify theport to be accessed. An IP address is legitimated with the firewall byinitiating a media session, e.g., a call. A pair of ports are opened,assuming proper firewall operation for the legitimated IP address, forthe initiated call while the other ports that may be associated with thelegitimated IP address, and used for media signals, should remainclosed. To test the port filtering, test signals are directed at thefirewall's full range of ports using the legitimated IP address as thesource address for the test signals. The test signals should pass the IPaddress filtering portion of the firewall filtering process but shouldbe rejected based on the port portion of the testing process with theexception of the signals directed to the ports that were associated withthe established call. The analysis device monitors during this phase ofthe testing process for signals passing through the firewall and notesany ports through which a signal is received as an open port. Thegenerated list of detected open ports is compared to a list of portsassociated with the source IP address which should be open, e.g., theports assigned to the ongoing call. Ports through which signals werereceived that should not have been open are identified as erroneouslyopen ports. If a port should have been open, and it is a port fortraffic going in the direction of the analysis device, and a signal wasnot received through the port, the port is identified as beingerroneously closed. The testing of the port open/closed status for thelegitimated IP address is indicative of how the firewall would respondto signals directed from another legitimated IP address to such ports

In addition to IP address and basic port filtering, the rate at whichports are opened and closed in response to session establishment andsession termination signals, e.g., traffic signals, is monitored. Probetest signals are directed at the firewall's ports associated with asource IP address that was used to initiate a call or other mediasession. The time between the session establishment signal, which shouldtrigger port opening, and the time a port corresponding to the sessionbeing established is opened is measured. In various embodiments this isdone by detecting the time between the signal which should cause a portto open and the time a test probe signal passes through the firewallport associated with the established session as detected by the analysisdevice located on the trusted side of the firewall. Port closing delayis tested in a similar manner with the analysis module measuring thetime delay between a session signal which should cause the portcorresponding to an established session to close and the time probe testsignals cease passing through the port associated with the terminatedsession.

To generate a more representative measure of opening and closing delays,multiple calls may be initiated and then terminated. The multiple callsmay each have the same source IP address but use, e.g., be assigned to,different ports in the firewall. The calls may be initiated andterminated in parallel. The measured opening delays corresponding to themultiple calls can, and in various embodiments are, statisticallyaveraged to generate an average measured opening delay. Similarlymeasured closing delays corresponding to the multiple calls can, and invarious embodiments are, statistically averaged to generate an averagemeasured opening delay. Plots of opening and closing delays, e.g.,average delays, measured under different system conditions or measuredfor different systems may be generated and used as an engineering toolin accordance with the invention.

The effect of traffic loading is tested in various embodiments byincreasing firewall traffic, e.g., session signaling which triggers theopening and/or closing ports, and measuring the corresponding openingand closing delays for different traffic loads. A given firewall may bespecified with maximum acceptable port opening and/or closing delaythreshold values, e.g., pinhole opening and/or closing delay thresholdtimes. It is possible, based on testing, in accordance with the presentinvention, to determine the maximum traffic load for the given firewallbefore the operational opening and/or closing delays will exceed themaximum acceptable threshold values, e.g., maximum opening and/orclosing delay times. Different thresholds may be used to define themaximum acceptable opening and closing delays. Determining thisinformation facilitates correct engineering of a firewall system so thatit will handle the expected loads.

Different processors may be tested in a given firewall application todetermine the maximum traffic load they can support for a maximumpermitted closing and/or opening delay. By combining this informationwith expected traffic load information, processors are, in someimplementations, selected based on the testing methods of the presentinvention to match anticipated traffic loads thereby permitting costeffective investment and hardware deployment.

The test methods of the present invention which are used to determineport opening and closing delays may be, and in some embodiments are,used in an active network. In such cases, the amount of test trafficgenerated at any given time is kept to a minimal amount to avoidinterfering with actual traffic. A maximum closing delay threshold isset in some embodiments. The closing delay is monitored through limitedtesting on an ongoing and/or periodic basis. This may be done byestablishing a call from a device having a particular IP addressesassociated with it, directing probe signals at the range of ports whichcan be associated with the particular IP address and measuring openingand/or port closing times based on the time signals are detected passingthrough the firewall and/or stop passing through the firewall throughone or more ports associated with the particular IP address being usedfor the test call. Closing delays approaching and/or exceeding themaximum acceptable closing delay are reported to the security managementsystem. The security management system then takes steps to reduce theload on the firewall, e.g., by modifying network routing parameters toreduce the traffic directed to the firewall and/or by controlling thenode in which the firewall is located to drop traffic, e.g., trafficabove a pre-selected threshold. System administrators are notified ofclosing delay problems so that they can upgrade the affected firewalland/or take other steps to address firewall problems. Correlation fromvarious firewall monitoring modules and/or other devices distributedthroughout the network can be used to analyze in space and timewhen/where a security problem, such as excessive port closing delays, isoccurring and feed the information into an analysis tool to identify aroot cause of the problem and/or the location of the cause of theproblem, thereby enabling further action.

During testing of a system in use, test probe signals are normallydirected to the ports corresponding to a call which is established fortesting purposes with care being taken to avoid directing signals to IPaddress/port combinations which may be used for other calls.Accordingly, the test call and probe test signals do not directly affectcalls associated with IP addresses that are different from the one beingused by the test device of the present invention.

In most but not all embodiments, the IIEPs of the present inventioninclude both signal generation, e.g., traffic and test probe signalgeneration, capabilities as well as monitoring/analysis abilities. Thus,when used in pairs with one IIEP located inside the trusted zone andanother located in the untrusted zone, it is possible to generatetraffic in both directions and determine if the firewall operatesproperly in regard to each of a pair of uni-directional ports that maybe involved in an established test call. The IIEPs of the presentinvention include sufficient logic that one device is able to initiate acall with each device then generating and transmitting test probesignals to check the status of the ports in each direction. The resultsof the firewall testing, determined by each of the IIEPs e.g., in regardto one direction of probe test signal flows, may be combined into asingle report by the IIEPs which operate together in a synchronizedmanner. The analysis module in the IIEP on the trusted side of thefirewall may perform this function.

Our inventive method may proceed in stages, by verifying pinholeoperation according to a set of static rules (IP address and/or portrules) as well as verifying pinhole operation according to a set ofdynamic rules, e.g., rules associated with opening and/or closing portsin response to session signaling in a timely manner. Our inventivemethod advantageously verifies the dynamic rule operation from a trafficsource compliant with the static rules, adding further credence to thecertification of proper dynamic rule operation and compliance.

It should be appreciated that specific potential securityvulnerabilities that may be addressed through our inventive testingmethod include: 1) excessive delay in opening pinholes, resulting in anunintentional denial of service; 2) excessive delay in closing pinholes,creating a closing delay window of vulnerability; 3) measurement of thelength of various windows of vulnerability; 4) setting a threshold on awindow of vulnerability such that it triggers an alert when apredetermined value is exceeded; 5) determination of incorrectlyallocated pinholes, resulting in a denial of service; 6) determining theopening of extraneous pinhole/IP address combinations through a firewallwhich increases the network vulnerability through unrecognizedbackdoors; and 7) determining the inability to correlate call stateinformation with dynamically established rules in the firewall.

Advantageously, our inventive method is applicable to dynamic pinholefiltering as used in conjunction with specific VoIP protocols currentlyin use. More specifically, our method is applicable to the H.323 seriesof recommendations originating from the International TelecommunicationsUnion (ITU) in versions 1 and 2, and the Session Initiation Protocol(SIP) defined by the Internet Engineering Task Force (IETF) in versionsRFC 2543 and RFC 3261.

Numerous additional features and benefits of the methods and apparatusof the present invention will be apparent from the detailed descriptionwhich follows.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a network arrangement according to the presentinvention for SIP call flows.

FIG. 2 illustrates a testing device which may be used as a source offirewall test signals an/or as a device for receiving and analyzing testsignals which pass through a firewall being tested.

FIG. 3 is an alternative representation of the network of FIG. 1 withtest signals directed to and passing through the firewall being shown.

FIG. 4 is a timeline depicting various SIP signaling points and a windowof vulnerability associated with opening and closing ports in responseto SIP signaling.

FIG. 5, which comprises the combination of FIGS. 5A and 5B, is a flowchart illustrating the steps of an exemplary firewall test methodimplemented in accordance with the invention.

FIG. 6 depicts a network test arrangement according to the presentinvention which may be used to test firewall operation in the case ofH.323 signaling.

FIG. 7 is a timeline illustrating various H.323 signaling points and awindow of vulnerability associated with opening and closing ports inresponse to H.323 signaling.

FIG. 8 illustrates an active system subject to firewall monitoring andsecurity control implemented in accordance with one embodiment of theinvention.

FIG. 9 illustrates the firewall monitoring and security steps performedin an active network in accordance with one embodiment of the presentinvention.

DETAILED DESCRIPTION

The present invention is particularly well suited for testing firewallswhich open and close ports in a dynamic manner, e.g., to support sessionsignaling such as for VoIP calls. In such applications, a firewall'sability to reject signals from IP addresses which have not initiated amedia session, e.g., call, or are not being used in an ongoing mediasession is important. A firewall's ability to close and keep closedports which are not being used in active media sessions, e.g., calls,and the ability to open and close ports to allow call signals to passthrough on a dynamic, e.g., per call basis, in a timely manner areimportant to insure network security and a satisfactory level ofservice.

VoIP calls are commonly implemented using SIP or H.323 signaling tomanage call establishment and termination. The methods and apparatus ofthe present invention are well suited for testing firewalls intended foreither type of signaling application. For purposes of explaining theinvention, the firewall testing methods and apparatus of the presentinvention will first be discussed in the context of a SIP application.As will become apparent, from the discussion which follows, theinvention is not limited to SIP and can be used with a wide range ofsignaling protocols and firewall applications where ports in a firewallare opened and closed dynamically, e.g., H.323 protocol.

SIP calls are typically conducted in three steps, namely, 1) CallRegistration, 2) Call Signaling, and 3) Call Media Exchange. The CallRegistration and Call Signaling steps are both carried out using a wellknown port (p: 5060) and for which firewall static rules may be defined.

The signaling exchange includes a negotiation/selection of two logicalports (talking and listening), which then carry the media exchange(voice conversation) for a normal call. These talking and listeningports are dynamically chosen from a range of allowed ports, used for theduration of the call, and then released. Since they are chosendynamically, their identification normally cannot be predicted inadvance.

The port information can however, be determined from the specificsignaling message(s) that include the logical port assignment functions(INVITE, 200 OK). Thus, the port information can be determined bymonitoring and/or examining the appropriate messages as is done invarious embodiments of the invention. Once this information is derived,a state machine may be constructed for the two logical ports involved inthe call and/or a set of information indicating the status of the ports(open/closed) may be generated. The state of the call may then bemonitored for the duration of the call. At the end of the call,corresponding messages (BYE) may be used to trigger the tear-down of thestate machine and the closure of the two logical ports. The time betweenthe BYE message and the actual closing of the ports should be relativelysmall and is monitored in accordance with the invention.

As can be appreciated, the determination of the port information andcall-state monitoring which are used to trigger port closure is animportant function for the proper operation of dynamic pinholefiltering. The architectural placement of these functions depends uponthe processing power of the firewall involved and any performance and/orscalability requirements. Consequently, these functions may beimplemented in, e.g., a router or other device such as device 140 shownin FIG. 1 which operates as a firewall, or distributed to an externalserver, e.g., proxy 150, that communicates to the firewall the identityof the ports to be opened and closed and the initiation of same. Theincorporation of the firewall control proxy functionality 150 into thefirewall 140 is largely an implementation issue which has little bearingon the test methods of the invention. For purposes of explaining theinvention, a firewall 240 will be discussed with the understanding thatthis firewall 240 may be implemented as a single firewall device 140which includes firewall control proxy functionality or as a combinationof a firewall device 140 and a separate firewall control proxy 150.

With further reference now to FIG. 1, there is shown a VoIP networkarrangement that we will use to describe our inventive test method.Specifically, network 100 includes both a trusted user zone 120 and anuntrusted zone 110 separated by a firewall system 240. The firewallsystem 240, referred to hereafter as firewall 240, includes, a firewall140 which may be implemented, e.g., as part of a router, and a FirewallControl Proxy (FCP) 150 which is coupled to the firewall 140. Asdiscussed above, FCP 150 may be incorporated directly into firewalldevice 140. Shown further are Integrated Intelligent End Points (IIEPs)130, 132 implemented in accordance with the present invention. IIEPs130, 132 are placed at appropriate locations within the VoIP network. Inparticular, originating IIEP 130 is positioned “outside” of the firewallwithin the untrusted zone 110 and target IIEP 132 is positioned “inside”of the firewall within the trusted zone 120.

When implemented in the distributed manner shown in FIG. 1, dynamicpinhole function state information (DPFSI) 151 is not located in thefirewall device 140, but rather in the external FCP 150 coupled to thefirewall device 140. The external device, FCP 150, communicates therequired port (pinhole) information to the firewall 140. The pinholeinformation 151 includes port information, e.g., source port address,destination port address, source port number, destination port numberand protocol information for on-going media sessions, e.g., calls.Source and/or Destination IP address information may also be included inthe pinhole information, e.g., DPFSI 151, so that a media signalassociated with IP addresses which do not correspond to an active mediasession can be blocked, e.g., prior to performing filtering on portnumber information. In embodiments where the FCP functionality isincluded in the firewall 140, the firewall device 140 includes DPFSI151.

Using a system 240 such as the one shown in FIG. 1, pinholeapplications, such as those under consideration by the IETF MIDCOMworking group which open and close ports in a firewall dynamically inresponse to session signaling, may be implemented using a combination ofa firewall 140 and a firewall control device FCP 150. In VoIPapplications, this FCP device 150 is normally application level awareand is able to forward messages to other Proxy machines or end stations.While signaling messages, e.g., call setup and termination messages, arestatically allowed to pass through the firewall from “untrusted”sources, as outlined in a firewall rule set, ports for media traffic,e.g., voice signals, are dynamically opened and closed as indicated frommessages sent from the FCP 150 with the DPFSI 151 reflecting theintended media port status at any given time.

So that the invention can be appreciated in the context of a VoIP call,a typical call flow initiated by a device in the untrusted zone 110 willnow be explained with continued reference to FIG. 1. To further aid thereader in following the call flow, it is noted that each of the stepsthat comprise a call flow are numbered sequentially.

In our example, a call is initiated by originating IIEP 130 situated inthe untrusted zone 110 by launching 1: Invite message through firewall140 and then received by firewall control proxy 150. Although firewallcontrol proxy is shown in FIG. 1 as a separate unit, it is possible thatthe functions provided by FCP 150 may exist in firewall 140, as anintegrated unit as discussed previously.

Upon receipt of 1: Invite message by FCP 150, proxy 150 generates a 2:100 Trying message and transmits it to originating IIEP 130 and alsosends a 3: Invite message to destination IIEP 132, situated in trusteduser zone 120.

Destination IIEP 132 then sends 4: 180 Ringing message back to FCP 150which then sends a 5: 180 Ringing message through firewall 140 tooriginating IIEP 130. Message 6: 200 OK is transmitted from destinationIIEP 132 to FCP 150 indicating that the call is being established. FCP150 launches 7: 150 Request Pinhole message to firewall 140 and notifiesoriginating IIEP 130 that call is being set up by forwarding 8: 200 OKmessage through firewall 140 to originating IIEP 130. When firewall 140opens the requested pinhole, it sends 9: Pinhole Opened message to FCP150. Lastly, originating IIEP 130 sends 10: ACK message through firewall140 to FCP 150 where it is forwarded to destination IIEP 132 as 11: ACKmessage. At this point, the call is established, the pinhole is openedthrough firewall 140, and 12: RTP Media Traffic messages carry media,e.g., voice traffic, through the established pinhole, e.g., dynamicallyopened port(s) in the firewall 240.

A guiding thesis in the development of our inventive test method is thattesting should verify that the firewall rule-sets and thus the firewallsystem 240 are properly filtering traffic based upon source anddestination IP addresses, port numbers, and the protocol being used. Thefirewall interface should have ports used for media flows closed, exceptfor those involved in an ongoing session, while those ports specificallyused for signaling should remain open.

In theory, verifying that ports excluded by firewall rules are closedmay be accomplished through the use of a port scanning tool or byreviewing firewall logs. Unfortunately, the design of the User DatagramProtocol (UDP) which is the foundation of Real Time Protocol (RTP),which is often used for SIP Media Traffic, usually makes the use of portscanners inconclusive in VoIP applications. In particular, SIP devicesdo not respond to UDP scans with the expected “ICMP-unreachable”messages which are the primary way to identify what ports are closed ona system. Because of this non-responsiveness, media ports will thereforeappear to be open regardless of the actual state of the firewallpinholes. Consequently, open and closed pinholes will appear to be open,whether or not they have been filtered at the firewall. While firewalllogs, e.g., copies of DPFSI information 151 with time information, canbe used to approximate the window that these ports are open, there is nocertainty that only appropriate traffic is being allowed to pass at agiven time.

In accordance with the present invention, IIEPs (130, 132) can be usedto accurately determine port status and firewall functionality.Advantageously, the IIEPs (130, 132) may have traffic generation (bothVoIP traffic generation and scanning probes) and analysis toolsincorporated within them. In addition, IIEPs (130, 132) should, andoften do, possess the following capabilities: VoIP SIP trafficgeneration for both signaling and media; the ability to generatescanning probes; a promiscuous mode packet analysis; and timing andsynchronization with an external clock thereby permitting accuratesynchronization of IIEPs 130, 132 located inside and outside thefirewall 240. Traffic generation may be peformed by softclients, e.g.,one or more software modules or applications which are used to establishand terminate VoIP test calls.

FIG. 2 illustrates an exemplary IIEP 130 which may be used as the IIEP130 or 132 shown in FIG. 1. The IIEP 130 includes an input/output (I/O)device 170 which operates as an interface to the firewall 240 and toadditional devices and/or systems, e.g., a network management systemand/or external clock signal 260. The IIEP 130 also includes an inputdevice 172, output device 174, processor, e.g., CPU, 176 and a memory160 which are coupled together and to the I/O device 170 via a bus 171.

Input device 172 may be implemented as a keyboard through which a systemadministrator can enter commands and/or other data. Output device 174may be implemented as, e.g., a display and/or printer, and can be usedto display and/or print generated reports and information relatingongoing tests, monitoring and/or firewall test results. CPU 176 controlsoperation of the IIEP 130 including the generation of test signals andreports under control of one or more of the modules stored in memory 160which are executed by CPU 176. Memory 160 includes reports and otherinformation 169 which are generated by monitoring firewall status andperforming various tests as discussed below. Various modules included inmemory include an IP address and/or Port scanning probe generationmodule 162, a traffic analysis and/or report generation module 164,timing/synchronization module 166 and VoIP signaling and mediageneration module 168. IP and/or port scanning probe generation module162 is used to generate test signals in accordance with the invention.Traffic analysis and/or report generation module 164 is used to analyzedetected signals passing through the firewall and generate a report onfirewall operation there from. Timing/synchronization module 166 is usedto synchronize the operation of the IIEP 130 with another IIEP device,e.g., by synchronizing the IIEP operation to an external clock signalsource 260, which is also used by at least one other IIEP device. VoIPsignaling and media generation module 168 is used to generate SIP and/orH.323 compliant call setup and termination signals as required by thetesting process of the present invention. While shown as softwaremodules in FIG. 2, modules 162, 164, 166, 168 may be implemented usinghardware, software, or a combination of hardware and software. In thecase of full hardware implementations, modules 162, 164, 166, 168 areimplemented using circuits outside of memory 160.

Generally speaking, and as used with our method, IIEPs 130, 132 serve astraffic injection tools at a call generation end of a VoIP network andas a traffic analyzer at a target end of the call. Such animplementation is shown in FIG. 3. In such a case, traffic is launchedinto the VoIP network 100 at an originating end, e.g., in untrusted zone110, and subsequently examined at a target end, e.g., inside trustedzone 120, to determine what portion of the launched traffic is able totraverse the firewall 240 and under what conditions. Advantageously, ourinventive test method may be performed in stages, thereby permitting thetest measurements made to be fine-tuned to varying degrees ofgranularity as may be needed for a particular application.

Turning our attention now to FIG. 3, there is shown a simplifiedschematic of the VoIP network 100 as tested by our inventive method. Inparticular, as in FIG. 1, the network 100 comprises both untrusted zones110 and trusted zones 120, separated by firewall 240. IIEP TrafficGenerator 130, located in untrusted zone 110, uses its port scanningmodule 162 and soft client signaling and media generation module 168 aswell as its timing synchronization module 166. IIEP Traffic Analyzer132, which is located in trusted zone 120, uses its traffic analyzermodule 164 for processing detected traffic signals passing through thefirewall 240 and soft client signaling and media generation module 168.Timing and Synchronization signals 260 are received from an externalclock source and/or are exchanged between the IIEP Traffic Generator 130and IIEP Traffic Analyzer 132 to support timing synchronization betweenthe two IIEPs 130, 132. IIEP 132 may also use its port scanning probegeneration module to generate probe signals from inside the firewallallowing IIEP 130 to monitor the status of ports used to communicatefrom inside the trusted user zone 120 to untrusted user zone 110. Thus,it is possible to test pairs of unidirectional ports associated with acall to determine opening and closing delays in each direction of signalflow.

According to our inventive method, in a first stage of testing, thefirewall 240 is probed for compliance with static rules regardingaccepted origination and destination IP addresses. Additionally, and ascan be appreciated by those skilled in the art, it is important toverify that dynamic rule-sets are operating correctly as well. In orderto verify that the dynamic rule-sets are operating correctly, one ormore of the following parameters should be varied through the use oftraffic generation outside the firewall and detection within the trusteduser zone 120:

-   -   Source and Destination Addresses (including addresses on the        trusted 120 and untrusted 110 sides of the firewall 240, across        the supported address ranges);    -   Source and Destination Port Numbers (Across the supported UDP        and TCP range);    -   and IP Protocol Numbers.

In one firewall implementation, IP addresses not legitimated by SIPsignaling as being associated with a call should be rejected regardlessof the port being accessed. Thus, for a media signal having an IP sourceaddress that is not listed in the DPFSI information 151, the firewallshould block the signal regardless of the port which is being accessed.As a result, when the scanning probe generation module 162 of theoriginating IIEP 130 launches test signals from an IP address notassociated with a current call, the firewall's media ports should becompletely closed to those scans originating from the unassociatedaddresses, e.g., the IP address which is not listed in DPFSI information151. Accordingly, in such a situation, the scanning probe should not bedetected across the firewall 240 by the target IIEP 132, as suchtraffic, e.g., test signals, should be blocked by the firewall at the IPaddress filtering state of the firewall filtering process.

In the next stage of testing, and to verify that media ports that arenot defined within the firewall rule-set and not currently dynamicallyallocated are closed, traffic is generated across the supported UDP andTCP port ranges from a source having a legitimated IP address, whilemonitoring this traffic on the destination end. The IP address fromwhich these test signals are launched is legitimated by initiating amedia session, e.g., call, from the IP address prior to generating theport test signals. In particular, the IIEP probe generation module 162of IIEP 130, has an IP address associated with it. This specific IPaddress is used to launch a call, thereby legitimating the specific IPaddress, and resulting in a pair of legitimately opened pinholes, e.g.,uni-directional pinholes, associated with it. From that specific IPaddress however, no traffic directed to any other port used for mediatraffic should be visible by the IIEP analysis module 164 at thedestination end assuming proper operation of firewall 240.

More specifically, the port scanning probe generation module 162 of thetraffic generator 130 probes the full TCP and UDP range with testsignals directed at the firewall's media ports using its legitimated IPaddress as the source address for the test signals. The IIEP analysismodule 164 of the IIEP 132 analyzes arriving traffic that passed throughthe firewall 240 and discriminates between allowed traffic—according tothe firewall rules—and searches for the presence of traffic from theoriginating IIEP Traffic generator 130 addressed to any ports other thanthe port or ports which were associated with the call established by thesource IIEP 130. The expected result is that no traffic other than thataddressed to ports dynamically set for the established call shouldappear at the IIEP traffic analysis module 164 of the IIEP 132 at thedestination end. Accordingly, the presence of traffic proceeding throughany ports other than those dynamically allocated is indicative of afailure in the pinhole implementation and will be reflected in a reportgenerated by the analysis and report generation module 164 of IIEP 132.

As may now be appreciated by those skilled in the art, there exists acomponent to the “window of vulnerability” that results from the closingdelay of the pinhole during the time period between a call effectivelyending and a firewall, being instructed, closing the pinhole. Duringthis “window” component, scanning traffic may still be able to“punch-through” and use the pinhole.

It should be noted that the “window of vulnerability” has at least twocomponents, namely, the actual duration of the call when malicioustraffic may penetrate the firewall and the closing delay window which,as defined above, is the period of time between the call ending and thefirewall closing the pinhole. Of course, if malicious trafficinterrupted a call during its progress, such call disruption may alertthe user or customer to an intrusion. Unfortunately however, detectingmalicious traffic during the closing delay window of vulnerability(CDWOV) is not so straightforward therefore its duration is important toquantify. Fortunately, our inventive method makes this determination.

As noted before and now alternatively stated, the “window ofvulnerability is that period of time beginning when a first media packetis allowed to pass through a firewall pinhole and ending when a lastpacket is able to pass through. With reference now to FIG. 4, there isshown a timeline 300 depicting “window of vulnerability” 380 for a SIPbased call. Specifically, the timeline 300 shown therein depicts thewindow of vulnerability 380, as that period of time between the pinholeopening 320 and the pinhole closing 360.

Of particular interest in a SIP call and as shown in FIG. 4, is openingdelay 330 and closing delay 370. With continued reference to FIG. 4, theopening delay 330 is that period of time between the receipt of an “200OK” message 310 and the opening of the pinhole 320, and the closingdelay 370 is that period of time between the transmission of a “BYE”message 350 and the pinhole actually closing 360.

Of additional interest from a timing perspective are the time periodsbetween an INVITE message and corresponding “200 OK” messages being sentby IIEPs (130 and 132 respectively), to when the window opens at callinitiation 320, and the time period between the sending of the “BYE”message 350 to the window's actual closing—subsequent to calltermination. Fortunately, these values may be determined, by streamingpackets at the pinhole, from a time prior to its opening until after thepinhole's closing and detecting the passage of signals through thepinhole, e.g., port or ports assigned to be used for a call beingestablished. The start of packet streaming at ports to detect pinholeopening is shown in FIG. 4 as point 385 while stopping of streaming ofpackets is shown at point 387. The time interval between the start ofpacket streaming to detect pinhole opening 385 and the stoppage ofpacket streaming to detect pinhole opening 387 is identified asmedia/packet generation/probing interval 390 in FIG. 4.

Advantageously, our inventive SIP testing method can be used to verify anumber of important aspects of calls proceeding according to timeline300 including:

-   -   a) the speed with which a firewall will correlate information        from the INVITE/200 OK messages (305, 310) and the opening of        the pinhole 320, thereby identifying potential “throttling” of        calls; and    -   b) the length of time a pinhole remains open after a call has        terminated, or “closing delay” 370.

In our inventive method, the Closing Delay Window of Vulnerability(CDWOV) may be determined from the time the last packet sent from anoriginating IIEP 130 is detected by a target IIEP 132, less the time ofthe BYE message generation. In practice, there are at least two factorsthat will affect the closing delay window, and in particular, thefirewall processing the information from a BYE packet, and the existenceof a timeout default in the absence of a BYE packet. Additionally, theamount of processing needed to process this information in real-time isdependent upon the speed at which the pinhole is closed and thereforethe “width” of the CDWoV. Generally, an overloaded system will not beable to carry out these functions within established specifications.

The test methods of the present invention can be used to determine theeffect of large loads, e.g., numerous simultaneous or nearlysimultaneous requests, to open and/or close pinholes may have on theability of a firewall 240 to open and close ports in a timely manner. Toload the system for purposes of performing stress testing, the IIEP 130operates as a bulk traffic generator. The volume of requests to open andclose ports can be slowly increased permitting for stress testing andthereby permitting the benchmarking of performance for the firewall'sCPU, beyond which the Closing Delay Window of Vulnerability will becomeso large and so persistent, due to CPU degradation, that the firewallsystem 240 is no longer effective. This benchmarking can be done topredict how closing window delays will vary based on traffic load. Plotsof closing window delay versus traffic load (pinhole open/closingrequest signals) can be useful in determining maximum acceptable trafficloads based on a selected maximum acceptable closing delay for aparticular firewall system 240, e.g., for a firewall with a particularfixed CPU speed.

Other benchmarking that can be performed can be firewall CPU speed vs.traffic load that can be supported given a pre-selected maximum closingdelay. This benchmarking of CPU speed vs. maximum traffic load can havewidespread use in engineering VoIP networks, as important criteria forperformance will be determined by establishing upfront the correct matchbetween an interface rate, and the processing power of a firewall CPUneeded to maintain the dynamic pinhole filtering functionality for thatgiven rate at the perimeter protection devices exposed to that trafficload. Traffic engineering information generated by stress testsimplemented in accordance with the invention can be a useful new toolfor security companies and other service providers trying to design andmaintain firewalls which can support dynamic firewall operations forvarious traffic loads.

Firewall stress testing implemented in accordance with the invention isintended to be performed off-line in a testing environment and not in alive system as the stress-testing is likely to cause disruptions to areal-time system and interfere with actual network traffic. However, aswill be discussed below, limited testing of firewall operation can, andin various embodiments is, performed in accordance with the presentinvention in operational systems as part of a security managementsystem.

To perform stress testing, two IIEPs 130, 132 are situated on eitherside of the firewall 240 as shown in FIG. 3 for the SIP case. The H.323system will look functionally the same for stress testing, e.g., thesetup shown in FIG. 6 may be used. The originating IIEP trafficgenerator 130 operates in bulk mode during maximum stress testinginjecting traffic, e.g., signals to cause pinholes to open and/or close,at the maximum rate allowed by the firewall interface. The target IIEP132 monitors the ever lengthening of the Closing Delay Window ofVulnerability as the firewall CPU is stressed by increasing amounts oftraffic and becomes unable to process the “close pinhole” messages,e.g., due to firewall CPU overloading.

A graphic display of the Closing Delay Window of Vulnerability isgenerated in some embodiments on the IIEP's output device providing anindication of the cutoff point at which the firewall's CPU can no longerprocess the dynamic pinhole filtering function in a timely manner,leaving pinholes open for increasingly longer times. From the graphicdisplay a system administrator can determine a maximum permissibletraffic flow above which traffic is to be cutoff to maintain properfirewall operation. Upon encountering the cutoff threshold in an actualimplementation, traffic is dropped. A new CPU may be added to thefirewall device, or to FCP, in order to return system to normalperformance within specifications at actual level of loadingencountered.

FIG. 5, which comprises the combination of FIGS. 5A and 5B, illustratesthe steps 500 of an exemplary firewall test method of the presentinvention. The method 500 is applicable to both SIP signalingapplications and H.323 applications but for purposes of explaining theinvention will be discussed in the context of the SIP compatible testingsystem shown in FIG. 3. The method includes steps for testing bothstatic firewall rules as well as dynamic firewall filtering, e.g.,filtering corresponding to the opening and closing of pinholes. Staticrule testing is performed first. The testing method concludes withtesting based on increasing volumes of traffic which provide stressbased test results and information about pinhole closing delayscorresponding to different levels of traffic, e.g., levels of signalingused to cause pinholes to be opened and/or closed.

The testing method 500 begins in start step 502 wherein IIEPs 130, 132are initialized. In step 504, the traffic generator IIEP 130 sends probesignals directed at the firewall 240 using as a source address, an IPaddress that is not associated with any ongoing media session, e.g., acall. Since the IP address has not been legitimated through SIP sessionsignaling, it will not be listed in DPFSI information 151 and the probesignals should be blocked by firewall 240. In step 506, the target IIEP132 monitors to detect any probe signals passing through the firewallthat were generated in step 504. Next, in step 508 an error report isgenerated by the destination IIEP 132 listing any ports used for mediatraffic through which probe signals from the illegitimate IP addresspassed.

With testing of the firewall's ability to block signals from IPaddresses which have not be legitimated through session signalingcompleted, operation proceeds to step 510 wherein a session signal,e.g., call establishment signaling, is initiated by the signal generatorIIEP 130 using an IP address associated with IIEP 130. As a result ofthis signaling, the firewall system 240 will assign one or more ports,e.g., a pair of ports, to be used with this specific IP address for thecall being established and a corresponding IP address and portinformation entry will be made in DFSI information 151. Once legitimatedin this manner, the specific IP address associated with IIEP signalgenerator 130 will be used to transmit test probes at the full set ofports supported by the firewall 240 through which media traffic can bedirected. In regard to the port assigned for call signals from thetrusted zone 120 to the untrusted zone 110, an IP address assigned tothe IIEP 132 will be indicated as the source address in DFSI information151 and the IP address associated with IIEP 130 may be indicated as adestination address.

In step 512, the signal generator IIEP 130 sends port test probe signalsdirected at the port(s) capable of carrying media signals from outsidethe firewall 240 using the IP address legitimated in step 510. Then, instep 514, the IIEP 132 monitors to detect test probe signals which passthrough the firewall to detect port opening time(s) and to determinewhich ports are open and which ports are closed. Then in step 515 a portopening delay is determined from the time a signal is detected passingthrough the opened port and the time of a signal used to initiate portopening. A list of open and closed ports generated in step 514 iscompared in step 516 to a list of ports which should be open, e.g., alist of ports included in DFSI information 151. In this manner, in step516, ports which are erroneously open and/or closed are detected.

Next, in step 518, the IIEP 132 generates a report including a list ofany detected open ports which should be closed and any detected closedports which should be open. Operation proceeds from step 518 to step 524via connecting node 520.

In step 521, as session signal to terminate the initiated call isgenerated. Then, in step 522, the IIEP 132 monitors to determine whenprobe signals stop passing through port(s) associated with the initiatedcall. Next, in step 523, at least one port closing delay is determinedfrom the time difference between a signal used to initiate port closingand the actual closing of the port as indicated by the cessation ofsignals passing through the port(s) associated with the call beingterminated. With the opening and closing delays having been determinedfor the single test call, in step 524 probe signals directed to theports corresponding to the terminated test call are stopped. Then, instep 525, a control signal generation control parameter X is initializedto 2.

Step 525 marks the start of firewall load testing. The parameter Xcontrols the number of calls opened or closed at a given point in time.As will be discussed below, this number is incremented to achieve stresstesting beyond the case of low load testing, e.g., as in the case of asingle call setup and close procedure.

Operation proceeds to step 528 wherein X calls are initiated at the sametime causing X ports in the firewall to be opened in each direction. Instep 529 the IIEP 130 acting as a test signal generator transmits probesignals to the full range of firewall ports which can be used tocommunicate media, e.g., voice, signals for the IP addresses used toinitiate the test calls. Then, in step 530 the IIEP 132 monitors todetermine the time(s) and corresponding port opening delays,corresponding to individual calls and/or an average time, to open theports for the calls initiated in step 528. Next, in step 532 the signalgenerator IIEP 130 generates session signals to terminate the X callsstarted in step 528. Then, in step 534, the destination IIEP 132monitors to determine the closing delay associated with individual callsand/or to determine the average closing delay for the X calls beingterminated. The IIEP 132 can determine the time of port closing bydetecting when probe signals cease to penetrate the firewall through aport associated with one of the X calls, while the start time from whichthe closing delay can be determined from the time of a session signalused to trigger the closing of the port.

With the closing delay times and/or average closing delay having beendetermined for the X calls in step 534, operation proceeds to step 535wherein generation of the test probe signals associated with the IPaddresses used to initiate the X calls are terminated. Then in step 536a report is generated on the detected opening and closing times for aload corresponding to X calls.

Next, in step 538, a check is made to determine if a stop criterion hasbeen satisfied. The stop criteria may be a maximum average port closingdelay to which the average generated in step 534 is compared. If a stopcriterion has been satisfied in step 538, e.g., a stop threshold wasmeet or exceeded, operation proceeds to step 544. However, if a stopcriterion was not satisfied in step 538 operation proceeds to step 540wherein X is incremented prior to operation proceeding again to step528, e.g., for testing at a higher level of loading. X may beincremented by a small or large step size depending on the desiredresolution, in terms of load size, of the statistics indicatingincreased loading effects.

As mentioned before, upon some preselected stop criteria being satisfiedin step 538, operation proceeds to step 544 wherein an overall testreport is generated. The overall test report includes informationindicating holes in IP address filtering detected in the static firewallrule testing steps, detected errors in port open/closed status that weredetected, opening and/or closing delays for a single call, and/orinformation indicating the effect of increasing loads, e.g., calls, onthe time required to open and/or close ports in the firewall 240. Thereport is output in step 546 e.g., in the form of printed and/ordisplayed charts and/or text information listing the detected errors andpinhole opening and closing delays for different loads.

With the generated reports being output by the IIEP 132, the testprocedure stops in step 548.

Advantageously, as discussed above the inventive methods of the presentinvention are not limited to specific protocols. In particular, it iswell suited to H.323 based calls as well as others. H.323 calls andsignaling will now be briefly discussed to facilitate an understandingof how the test methods of the present invention can be used in H.323based systems. As will become apparent, the FIG. 5 test method isapplicable to firewall systems that work with H.323 signaling.

H.323 calls are typically conducted in three steps, namely, 1) CallRegistration, 2) Call Signaling, and 3) Call Media Exchange. The CallRegistration and Call Signaling steps are carried out using well knownport(s) (p: 1719/1720) which are the same and for which firewall staticrules may be defined.

The session establishment signaling exchange includes anegotiation/selection of two logical ports (talking and listening),which carry the media exchange (voice conversation) for a normal call.These talking and listening ports are dynamically chosen from a range ofallowed ports, used for the duration of the call, and then released.Since they are chosen dynamically, their identification normally cannotbe predicted in advance.

They can however, be determined from the specific signaling message(s)that include the “open logical channel” function (H.225/H.245OpenLogicalChannel, H.225/H.245 OpenLogicalChannel ACK). The portinformation may be determined by examining the appropriate messages.Once this information is derived, a state machine may be constructed forthe two logical ports involved in the call and the state of the call maythen be monitored for the duration of the call. An information table,the same as or similar to, the DPFSI 151 shown in FIG. 1 is normallyalso constructed in the firewall system 641 shown in FIG. 6. At the endof the call, corresponding messages (CALL RELEASE) may be used totrigger the tear-down of the state machine and the close of the logicalports just used for the call.

As can be appreciated, the determination of the port information andcall-state monitoring are two functions which are important for theproper operation of dynamic pinhole filtering. The architecturalplacement of these functions depends upon the processing power of thefirewall involved and any performance and/or scalability requirements asin the case of the SIP implementation previously discussed.Consequently, and as noted before with SIP architectures, thesefunctions may be implemented for H.323 architectures in a firewalldevice 640, or distributed to an external firewall control proxy 650that communicates to the firewall device 640 the identity of the portsto be opened and closed and the initiation of same as shown in FIG. 6.

Turning our attention now to FIG. 6, there is shown a VoIP networkarrangement 600 that we will use to describe our inventive test methodas it applies to the H.323 protocols. Specifically, network 600 includesboth a trusted user zone 620 and an untrusted zone 610 separated by afirewall device 640. The firewall device 640 operates in conjunctionwith firewall control proxy 650 as a firewall system 641 which may bereferred to simply as the firewall 641.

Shown further are Integrated Intelligent End Points (IIEPs) 630, 632,placed at appropriate locations within the VoIP network 600. Inparticular, originating IIEP 630 is positioned “outside” of the firewallwithin the untrusted zone 610 and target IIEP 632 is positioned “inside”of the firewall within the trusted zone 620.

As with the SIP protocols described earlier, the IIEPs (630, 632) usedfor H.323 protocols may have traffic generation (both VoIP trafficgeneration and scanning probes) and analysis tools incorporated withinthem. Additionally, H.323 IIEPs should possess the followingcapabilities: VoIP SIP traffic generation (softclients) for bothsignaling and media; the ability to generate scanning probes; apromiscuous mode packet analysis; and timing and synchronization with anexternal clock. The exemplary IIEP 130 shown in FIG. 2 may be used inthe system 600 as any one of the IIEPs 630, 632. In such an embodiment,the IIEP 130 generates signals compliant with H.323.

Generally speaking, and as noted before, IIEPs 630, 632 serve as trafficinjection tools at a call generation end of a VoIP network 600 and as atraffic analyzer at a target end of the call. As such, traffic islaunched into the VoIP network at an originating end and subsequentlyexamined at the target end to determine what portion of the launchedtraffic is able to traverse the firewall 641 and under what conditions.As with the SIP method, our inventive method for H.323 protocols may beperformed in stages.

A typical H.323 call flow can be understood with continued reference toFIG. 6. Specifically, a call is initiated by originating IIEP 630situated in the untrusted zone 610 by launching 1: OpenLogicalChannelmessage through firewall device 640 which is then received by FCP 650.As noted before with the SIP method(s), the functions provided by FCP650 may be integrated into firewall device 640.

Upon receipt of 1: OpenLogicalChannel message by FCP 650, FCP 650generates a 2: OpenLogicalChannel ACK message and transmits it tooriginating IIEP 630 and also sends a 3: OpenLogicalChannel message todestination IIEP 632, situated in trusted user zone 620.

Destination IIEP 632 then sends 4: OpenLogicalChannel ACK message backto FCP 650 and then sends a 5: OpenLogicalChannel message to FCP 650.FCP 650 then sends a 5a: OpenLogicalChannel ACK message to IIEP 632 anda 6: OpenLogicalChannel message through firewall device 640 tooriginating IIEP 630.

FCP 650 launches 7: Request Pinhole message to firewall device 640.Originating IIEP 630 acknowledges the channel opening with 8:OpenLogicalChannel ACK message sent to FCP 650. When firewall device 640opens the requested pinhole, it sends 9: Pinhole Opened message to FCP650.

At this point, the call is established, the pinhole is opened throughfirewall 641, and 12: RTP Media Traffic messages carry media through theestablished pinhole.

According to our inventive method and similar to that described for theSIP protocol, in a first stage of testing, the firewall 641 is probedfor compliance with static rules regarding accepted origination anddestination IP addresses. Additionally, and as can be appreciated bythose skilled in the art, it is important to verify that dynamicrule-sets are operating correctly as well. In order to verify that thedynamic rule-sets are operating correctly, the following parameters maybe varied in traffic generation:

-   -   Source and Destination Addresses (including addresses on the        trusted 620 and untrusted 610 sides of the firewall 641, across        the supported address ranges);    -   Source and Destination Port Numbers (Across the supported UDP        and TCP ranges);    -   and IP Protocol Numbers.

According to our method, IP addresses not legitimated by H.323 signalingas being associated with an ongoing media session, e.g., call, should berejected regardless of the port being accessed. Additionally, when thescanning probe generation module 162 of the originating IIEP 630 islaunched from an IP address not associated with a current call, thefirewall ports used for media traffic should be completely closed tothose scans originating from the unassociated IP addresses. Accordingly,in such a situation, the scanning probe signals should not be detectedacross the firewall 641 by the target IIEP 632, as such traffic shouldbe blocked by the firewall 641 at the IP address level of filtering.

In the next stage of H.323 testing, and to verify that ports that arenot currently allocated to a media session are closed, traffic isgenerated across the full UDP and TCP port ranges from source 630 havinga legitimated IP address, while monitoring this traffic on thedestination end at IIEP 632. In particular, the IIEP 630 which operatesas a traffic generator, having an IP address associated with it, is usedto launch a call that will have a pair of legitimately opened pinholes,e.g., ports, associated with it. From that specific legitimated IPaddress however, no traffic directed to other ports used for media flowsshould be visible to the analysis module of the IIEP 632 at thedestination end.

More specifically, the scanning probe signals launched from the IIEP 630which operates as a test signal generator uses the legitimate IP addressto probe the full TCP and UDP range of ports which may be used for mediatraffic. The IIEP 632 operating as a traffic analyzer performs analysison the arriving traffic that passes through the firewall 641 to detectwhich ports were erroneously opened and/or closed. The expected resultis that no traffic other than that addressed to ports associated withthe established call should appear at the IIEP 632 at the destinationend. Accordingly, the presence of traffic proceeding through any portsused for media flows other than those dynamically allocated as part ofthe established call is indicative of a failure in the pinholeimplementation.

With reference to FIG. 7, which shows a timeline of H.323 call eventsand resulting windows of vulnerability and delays, the opening delay 730may be measured as the period of time between the receipt of an“OpenLogicalChannel ACK” message 710 and the opening of the pinhole 720,while the closing delay 770 can be measured as the period of timebetween the transmission of a “CloseLogicalChannel ACK” message 750 andthe pinhole actually closing 760.

Of additional interest for the H.323 protocol are the time periodsbetween an CallSetUp/CallProceeding message and corresponding“H.225/H.245 OpenLogicalChannel/OpenLogicalChannel ACK” messages beingsent by IIEPs 630, 632, to when the window opens at call initiation 720,and the time period between the sending of the “H.225/H.245CloseLogicalChannel/CloseLogicalChannel ACK” message 750 to the window'sactual closing—subsequent to call termination. Fortunately, andaccording to our inventive method, these values may be determined bystreaming packets at the pinhole, from a time prior to its opening untilafter the pinhole's closing, a media packet generation/probing timeinterval 790 of FIG. 7. Start and end time of media packetgeneration/probing time interval 790 are shown on the timing diagram 700of FIG. 7 as points 785 and 787 respectively.

Advantageously, and similar to the advantages for the SIP methoddescribed before, our inventive H.323 testing method verifies a numberof important aspects of calls proceeding according to timeline 700including:

-   -   the speed with which a firewall will correlate information from        the H.225/H.245 OpenLogicalChannel/OpenLogicalChannel ACK        messages (710) and the opening of the pinhole 720, thereby        identifying potential “throttling” of calls; and the length of        time a pinhole remains open after a call has terminated, or        “closing delay” 770.

As used with the H.323 protocol, the Closing Delay Window ofVulnerability (CDWOV) may be measured as the time the last packet sentfrom an originating IIEP 630 is detected by a target IIEP 632, minus thetime of the CloseLogicalChannel message generation. As before, there areat least two factors that will affect the closing delay window, and inparticular, the firewall processing the information from a H.225/H.245CloseLogicalChannel/CloseLogicalChannel ACK packet, and the existence ofa timeout default in the absence of a H.225/H.245 CloseLogicalChannelACK packet.

Of course, the amount of processing needed to process this informationin real-time is dependent upon the speed at which the pinhole is closedand therefore the “width” of the CDWoV. Generally, an overloaded systemwill not be able to carry out these functions within establishedspecifications, and an alert may be generated when a predeterminedthreshold width of the CDWoV is met or exceeded in a system whichmonitors for such delays while in use as will be discussed below.

FIG. 8 a communications network system 800, wherein the firewall testingand firewall control methods of the present invention are used in anactive communications network to detect firewall faults, excessiveopening and/or closing delays and to generate alert signals which areused to alert a security management system to firewall problems. Inresponse to receiving a firewall alert signal, the security managementsystem 815 can take one or more of a variety of actions to address thefirewall problem.

The communications network 800 includes an untrusted zone 810 and atrusted zone 820. First and second firewall systems 810, 820 are used toseparate the untrusted zone 810 from the trusted zone 820. The untrustedzone 810 includes a plurality of nodes, e.g., end node Y 830 and endnodes 832, 834. End nodes may be, e.g., user terminals or other userdevices. End node 830 is coupled to the first firewall system 810 bynetwork node 1 and to the second firewall system 820 by network node 2.Network nodes may be e.g., routers, which route traffic according torouting information including, in some cases weights associated withparticular paths. End nodes 832 and 834 are coupled to the secondfirewall system by network node 2 836 and to the first firewall system810 through network node 1 via its connection to network node 2 836.Thus, end nodes 830, 832, 834 have two available paths over which mediasignals can be routed into the trusted network zone 820.

Trusted network zone 820 includes a security management system 815 whichhas routing control links 841, 843 to network nodes 836, 838. It is alsocoupled to firewall system 1 810 and firewall system 2 820. In additionthe security management system 815 is coupled to a pinhole firewallmanagement system which generates alarms that are sent to the securitymanagement system 815 when a pinhole closing delay is detected to havebeen exceeded at one of the firewall systems 810, 820. Pinhole firewallmanagement system 822 receives pinhole information 824 form each of thefirewall systems 810, 820 and generates alarms as needed. The first andsecond firewall systems 810 and 820 are both coupled to the thirdnetwork node 840 which, in turn, is coupled to end node X 842. Thus, theend nodes on both sides of the trusted zones have multiple paths throughwhich messages can be communicated between the trusted and untrustedzones 820, 810. Security management system 815 can take several actionsin response to receiving a closing delay alarm including signaling thefirewall device 140 which triggered the alarm to drop or refuse to passnew session requests to thereby reduce loading, signal systemadministers to upgrade or take other action in regard to the firewallsystem 810, 821 which generated the alarm and or signal network routers838, 836 to modify the network routing to reduce the load on thefirewall which trigger the alarm. In this manner, assuming the thresholdfor generating the alarm is set at a level where security has not yetbeen jeopardized due to excessive delays, corrective measure can betaken before a security problem occurs.

Each of the first and second firewall systems 810, 820 includes afirewall 130 as well as IIEPs 130, 132. In the active networkembodiment, the IIEPs provide ongoing and/or periodic testing usingsignaling which places relatively little loading on the firewall system130. Thus, during active system use, stress testing is avoided to reducethe risk of interfering with legitimate traffic passing through thefirewall system 130. In the active system embodiment, care is taken toavoid directing test signals to ports which are in used for ongoingmedia sessions as indicated by DPFSI information 151 and to avoid stresstesting. Otherwise, testing may be performed in the same way asdescribed with regard to the FIG. 5 example. In some embodiments,testing of active systems is limited to determining closing delay. Insome cases, this is done by having the IIEP 132 monitor signaling andport closing log information 131 obtained from firewall device 140. Insuch an embodiment transmission of test signals from IIEP 130 can beminimized or avoided. In other embodiments opening and/or closing delaysare determined by the IIEP 132 through the use of test signals aspreviously described.

FIG. 9 illustrates the firewall monitoring and security steps 900performed in an active network in accordance with one embodiment of thepresent invention.

The monitoring/testing process 900 begins in step 902 with operationproceeding to step 904 wherein firewall operation is tested and/or thecurrent pinhole closing delay associated with at least one communicationsession is established. Next, in step 906, the determined pinholeclosing delay is reported to the pinhole firewall management system 822.The pinhole firewall management system 822 compares the reported closingdelay to a threshold, e.g., a predetermined threshold slightly below themaximum acceptable pinhole closing delay. If the threshold is notexceeded no alarm is generated and monitoring operation continues fromstep 904.

However, if the closing delay threshold is exceeded, indicating aloading or other firewall problem, operation proceeds to step 910. Instep 910 and alarm is generated and sent to the security managementsystem 815. The alarm signal normally indicates the firewall that wasresponsible for the generation of the alarm, i.e., the firewall 810 or821 exhibiting large port closing delays.

The security management system 815 responds to the alarm by performingone or more actions including: 1) adjusting network routing to reducethe load on the firewall system 810 or 821 which triggered the alarm; 2)control the firewall system 810 or 821 which triggered the alarm to redrop traffic or refuse new sessions to reduce the closing delay and/or3) generate a signal or other output to notify a system administrator ofthe alarm condition so that corrective measures can be taken such asupgrading of the firewall system 810 or 821 which generate the alarm.

Operation proceeds from step 912 back to step 904 so that monitoring ofthe firewall system can continue while the network 800 remains inoperation.

Thus, a system 800 implemented in accordance with the invention canmonitor to make sure that the windows of vulnerability remain withincriteria according to a design specification, with the issuance ofalarms in the event of threshold crossings of windows of vulnerabilitypermitted widths and/or excessive closing delays. The system will alertsecurity monitoring personnel in real-time when a firewall system 810,821 is leaving open windows of vulnerability that can be exploited by anintruder to gain access to network. This methodology is equallyapplicable to H.323 and SIP based systems. The testing method of theinvention can be used to monitor whether a firewall implementation isworking properly during operation, free of software malfunctions, or issubject to problems because of intermittent faults when the firewallsystem 810, 821 is performing at the limit of its traffic capabilities.The monitoring system 822 is a real-time system that monitors firewallinterfaces at periodic intervals or on a continuous basis feedinginformation up to the security management system 815.

The testing component set up may be generally the same as that describedin regard to FIG. 1. The setup shown in FIG. 8 can work with SIP orH.323 signaling.

In various implementations, the two IIEPs 130, 132 are situated oneither side of the firewall device 140 which is included in each of thefirst and second firewall systems 810, 821. The originating IIEP 130sends test traffic probes periodically across the firewall device 140.The purpose of the intermittent test probes is to obtain measurements ofthe CDWoV and to verify that illegitimate traffic originated from theIIEP 130 will not pass through the firewall device 140. Thesemeasurements are performed using the previously described methodologies.It is likely that as the firewall device 140 is stressed with usertraffic, the window of vulnerability may increase or the firewall 140may be breached by packets that have not been validated throughsignaling. Either event should be detected resulting in a report to thepinhole firewall management system 822 and generation of an alarm whichis sent to the security management system 815.

Security management system 815, in some embodiments, operates as a rootcause analysis tool which uses logic, e.g., one or more analysissoftware modules, to process alarm signals received from the alarmgeneration components of various firewalls over a period of time. Theanalysis is used to locate the cause, e.g., source of signals, causingone or more alarms. The security management system 815 also includes amodule for predicting future alarms so that preventive actions, e.g.,upgrading of firewall hardware, can be taken.

Thus, in at least some embodiments the security management system 815includes a receiver for receiving alarms from a plurality of differentalarm generation devices located at different locations, e.g., indifferent firewalls and a module for analyzing alarms received fromdifferent alarm generation devices, over a period of time, to identifythe location of one or more traffic sources causing alarms during saidperiod of time. The security management system 815 also includes anothermodule or uses the same analysis module to analyze alarms received fromdifferent alarm generation devices, over a period of time, to predictthe occurrence of future security alarms. Thus, the security managementsystem 185 uses distributed probes, e.g., test probes at differentfirewalls through out the communications network which result indifferent alarms being received and uses time and space informationcorresponding to the information obtained from said probes to feed intoa root-cause analysis tool that helps sectionalize a pinholevulnerability problem in time and space for further action in a“predictive” and/or “reactive” manner.

A graphic display of the CDWoV widths may be, and often is, generatedand used to indicate the threshold point at which a firewall CPU can nolonger process the dynamic pinhole filtering function according tospecifications, leaving pinholes open for increasingly longer times. Thegraphic display may be used to indicate dynamically at the pinholemanagement system 822 when this threshold has been exceeded and togenerate an alert (e.g., an authenticated SNMPv3 trap) which can be sentup to a monitoring device capable of understanding traps.

The methodology and management system 822 can be used to correlateinformation from multiple firewall systems 810, 821, which may beimplemented as MIDCOM systems, from devices 151 which control the“pinholes” within the firewalls, and end-to-end testing devices 130, 132used to intermittently verify the functionality and vulnerability of thecomplete firewall system 810, 821. The information from multiple devicescan be correlated and fed into a “root analysis” tool that will providespatial information of where anomalies are occurring within the overallnetwork 800.

It will be apparent to those skilled that many variations to ourinventive methods may be realized. In particular, numerous alternativenetwork architectures and/or protocols may be tested by those skilled inthe art without departing from the spirit and scope of the presentinvention.

1. A method of testing a firewall comprising: transmitting, sessiontermination signals used to terminate established communicationssessions; monitoring to determine port closing delays, said port closingdelays being a delay in time between the time a session terminationsignal is transmitted and the time a port in said firewall is closed inresponse to the transmitted session terminal signal; transmittingsession termination signals at an increased rate through said firewallto cause the closing of ports in said firewall; and measuring the effectof said increased rate of session termination signals on closing delaytimes associated with closing ports in response to transmitted sessiontermination signals.
 2. The method of claim 1, further comprising:generating a report indicating the effect of an increasing rate ofsession termination signals on port closing delays.
 3. The method ofclaim 1, wherein said transmitting session termination signals at anincreased rate includes transmitting more termination signals at a giventime than are transmitted during said step of transmitting, sessiontermination signals used to terminate established communicationssessions.
 4. A method of testing a firewall, comprising: transmitting asignal, said signal being one of: a session initiation signal toinitiate a communications session through said firewall and a sessiontermination signal used to terminate an established communicationssession; and monitoring to determine from the time of the transmissionof said signal one of: i) a port opening delay which occurs between atime of transmitting said signal, when said signal is a sessioninitiation signal, and opening a port in said firewall for acommunications session that is being initiated by said signal, and ii) aport closing delay which occurs between a time of transmitting saidsignal, when said signal is a session termination signal, and closing aport in said firewall as part of terminating an establishedcommunications session in response to said transmitted signal.
 5. Themethod according to claim 4, wherein said at least one of a port openingdelay and a port closing delay is a port closing delay.
 6. A method oftesting a network firewall comprising: transmitting a session signal toterminate an ongoing communications session being conducted through atleast one port of said firewall; and measuring a port closing delay timeassociated with the closing of said at least one port following thetransmission of said signal to terminate said communications session. 7.The method of claim 6, wherein said port closing delay is a time periodwhich occurs between the time a signal used to cause the closing of theport is detected and said port ceases to allow communications signals topass through from the first side of said firewall to the second side ofsaid firewall.
 8. The method according to claim 7, further comprisingthe steps of: transmitting test signals at said port prior to theclosing of said port; and monitoring the port to determine when saidtest signals cease passing through said port.
 9. The method of claim 6,wherein said session signal is at least one of SIP and H.323 compliantsignals.
 10. A method of testing a network firewall, comprising:transmitting a session signal to initiate a communications session to beconducted through said firewall; transmitting test signals to at leastone port on a first side of said firewall; determining a time when saidtest signals first pass through said at least one port, said at leastone port being opened in response to said signal to initiate acommunications session; and determining a port opening delay whichoccurs in regard to opening a port in said firewall for saidcommunications session from said determined time.
 11. The method ofclaim 10, wherein said port opening delay is a time period which occursbetween a time a signal used to cause the port for said communicationssession to open is detected and said port allows a signal to passthrough from the first side of said firewall to the second side of saidfirewall.
 12. The method according to claim 11, further comprising thestep of: transmitting another session signal to terminate saidcommunications session; and monitoring a port closing delay timecorresponding to a port closing delay which occurs in regard to closingthe port in said firewall that was opened for said communicationssession.
 13. The method of claim 12, wherein said port closing delay isa time period which occurs between the time a signal used to cause theclosing of the port is detected and said port ceases to allowcommunications signals to pass through from the first side of saidfirewall to the second side of said firewall.
 14. A firewall testapparatus, comprising: a session signaling module for generating sessionsignals used to initiate a communications session to be conductedthrough a firewall to be tested and to terminate a communicationssession after it has been initiated; a scanning probe generation modulefor generating probe signals to be directed at firewall ports; a timingsynchronization module for synchronizing operation of said firewall testapparatus to at least one of an external clock source and anotherfirewall test apparatus; and an analysis module for determining at leasta port closing delay from a session signal time and a time probe signalsare detected to stop passing through a port in said firewallcorresponding to an initiated communications session.
 15. The firewalltest apparatus of claim 14, wherein said analysis module furtherincludes means for determining at least a port opening delay from asession signal time associated with a session signal used to initiate acommunications session and a time probe signals are detected to startpassing through a port in said firewall corresponding to the initiatedcommunications session.
 16. A firewall test system for testing afirewall, comprising; a test signal generator for generatingcommunications session initiation signals and probe signals directed ata first side of said firewall; and a test signal analyzer for detectingprobe signals passing through said first side of said firewall to saidsecond side of said firewall and for determining port closing delays asmeasured from the time the test signal analyzer detects a signal used toclose a port in said firewall and said analyzer ceases to detect testsignals passing through said firewall.
 17. The firewall test system ofclaim 16, wherein said test signal generator further includes: means forestablishing a communications session through said firewall usingsession initiation signals prior to transmitting at least some of saidprobe signals.
 18. The firewall test system of claim 17, wherein saidtest signal generator includes means for synchronizing test signalgeneration to an outside clock source; and wherein said signal analyzerincludes means for synchronizing device operation with said outsideclock source.
 19. A method of testing a firewall, comprising the stepsof: transmitting session termination signals used to control terminationof communications sessions through said firewall at an increasing rate;and measuring the effect of the increasing rate of session terminationsignals on port closing delays associated with the termination ofcommunications sessions through said firewall.
 20. The method of claim19, further comprising; determining the session signal rate whichresults in a maximum acceptable port closing delay being exceeded. 21.The method of claim 20, wherein said transmitted session signals are atleast one of SIP signals and H.323 signals.